Overview

overview

6

Static

static

1

Screen_Rec...28.mp4

windows7-x64

1

Screen_Rec...28.mp4

windows10-2004-x64

6

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/08/2024, 19:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Screen_Recording_20240802_210028.mp4

  • Size

    7.6MB

  • MD5

    e06ffcaf40b56c6a6f23529c69194f49

  • SHA1

    c33b56c2ebafcc9db29dfdc18b79f264d12beb36

  • SHA256

    20fcdd16f39016ad9b0fb620d78781f33d810b8cd12afab033dff7af8c05f9fc

  • SHA512

    df1a766e312f7c87e5d28a1b3af7a8a8613dc2dc735b04a7f3e6a23f829156552680c7e934097cbdcd0103263a8fda932d62b48d81064d8b46abb226716b36a6

  • SSDEEP

    196608:UkYKWJcUZIcupMdWIUZP7D0RgQoHPlkRNXlkM5M:/jWJccINK4Q8kRhlkuM

Score
6/10
discovery

Malware Config

Signatures

  • Drops desktop.ini file(s) 7 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Screen_Recording_20240802_210028.mp4"
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4504
    • C:\Windows\SysWOW64\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4052
      • C:\Windows\system32\unregmp2.exe
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        3⤵
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        PID:3224
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
    1⤵
    • Drops file in Windows directory
    PID:4008
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x4b0 0x4f8
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1116

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize

    512KB

    MD5

    ac3ee86217156be8e5269ec5e3e8c6d9

    SHA1

    79a95126e8c98ea46e602a72a56bd64b6859d2db

    SHA256

    cc4fce97c0c1ef96395d20f96add156b547ef9a03967373e41fd627d8047dd6e

    SHA512

    68142b57a3a5332a5cf97e5b7d954a803b1fe8d02670cc614b57b1e7daded2ad2358de240f7defd436256e702b008ba74078744c14b7261d19b936c1b709574e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize

    1024KB

    MD5

    51eb1fc437074b4708e00046489e52bd

    SHA1

    6f6ea9b47704008711348422d397cd7724625f40

    SHA256

    2ab8478c8d6a46a613df7de2583c2fd7777345045a1c18d52244ed302b955df4

    SHA512

    ae830b06d19f1cf2c7d6972c5a1905750b123b3e561be208a6e13a43f1ed136e7e9611fc6ac9d94be8705f01c85aee2c6db9d15e95e5fbe5bad4448515b16988

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb
    Filesize

    68KB

    MD5

    9f16e181f16e7c4a0fd416848b287146

    SHA1

    769e9721fd562dcf8c327ec9eac29dcd9a6d54a3

    SHA256

    e195a89b80c5956ed9c356c51cc62c43ea7cd8033d0c5bcb04667c680d7d581b

    SHA512

    df443eea47e8af08c72e5cba377662020d14746d90217cad0d421b175f2f849e9d84bcc23352074cc92d081e3c6b1d208df9ac45ac2fe7851a2f412d452d470f

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD
    Filesize

    498B

    MD5

    90be2701c8112bebc6bd58a7de19846e

    SHA1

    a95be407036982392e2e684fb9ff6602ecad6f1e

    SHA256

    644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

    SHA512

    d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
    Filesize

    9KB

    MD5

    7050d5ae8acfbe560fa11073fef8185d

    SHA1

    5bc38e77ff06785fe0aec5a345c4ccd15752560e

    SHA256

    cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

    SHA512

    a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wmsetup.log
    Filesize

    1KB

    MD5

    63d352a6d63f7be9881d24c2c629e034

    SHA1

    c7e24a61650fec90a580c2ed90409b0eb6363fd1

    SHA256

    82e8d5105eb9aa356d6dffe5109fc05e56db89fd7fbf5e0f9082f6afc5d71c93

    SHA512

    8f883ed77dd879521099f96fe23142703cd362f1176c07eef7146abd4bc99efcc94630e2983b988a500345665899a8cf485d8601d5f21289a442110e327e8b4f

    Download Submit

  • memory/4504-37-0x0000000006410000-0x0000000006420000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4504-33-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4504-34-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4504-38-0x0000000006440000-0x0000000006450000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4504-39-0x0000000006440000-0x0000000006450000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4504-41-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4504-40-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4504-42-0x0000000006440000-0x0000000006450000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4504-32-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4504-31-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4504-57-0x0000000007630000-0x0000000007640000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4504-64-0x0000000007630000-0x0000000007640000-memory.dmp

    Filesize

    64KB

    Download